Generate report of Microsoft Sentinel Analytic rules that can be updated.

Introduction

I have heard from many people that they would like to be able to see which rules need to be updated. There is currently no easy way to do this in the Microsoft Sentinel portal. You can go through each page and see which ones have the “Update Available” tag in the name, but you cannot filter to just see those.

I have created a PowerShell script that will generate a CSV file showing the names of the rules that need to be updated and which section(s) have changes. This should make it somewhat easier to decide if you want to update the rule or not. If it is just the description being updated but you have customized the query, is it worth doing the update knowing you would have to redo the query?

I do not show the old and new values of the fields, since you can see those in the portal (and not because it would be very hard to do 🙂 ). Showing the query's changes in a CSV that you open in Excel is quite difficult, since the queries contain a lot of doubled double quotes and commas that mess up the columns.

The code can be found at garybushey/rulestobeupdated: Generate a report of the analytic rules that can be updated (github.com)

The Code

Most of the code is straightforward. Load the rules, load the Microsoft Sentinel rule templates, load the Solution rule templates (see Getting ALL the Microsoft Sentinel rule templates – Yet Another Security Blog (garybushey.com) if you don't know why this is needed), and then iterate through the rules looking for a difference between the rule's template version and the template's current version.

One gotcha I did run into was comparing some of the array values like Entities, Tactics, and Techniques. I did not compare each and every entry in those arrays; I just compared the arrays as a whole.

Some of the rules may not have some of those fields (especially older rules), or they may have them but as empty arrays. The PowerShell "Compare-Object" command does not accept a null or empty array for either side of the comparison, so when I load those arrays I check whether they are null or empty (array.Count -eq 0) and, if so, set them to a placeholder value, in this case "1". Then I can do the comparison without any trouble.

I also ran into one case where the analytic rule had a template ID but the template did not exist anywhere (not in the Microsoft Sentinel templates and not in any Solution), so I had to watch out for that rather than assume the lookup would always succeed.

Other than that, the code is very easy to follow (I hope).
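To make the comparison logic and the two gotchas above concrete, here is an added PowerShell example; it is not the script from the repository, just an illustration of the same approach. It assumes you have already retrieved the rules and the merged list of Microsoft Sentinel and Solution templates; the rule and template objects below are constructed sample data with made-up IDs, versions and queries, and the property names (templateVersion, alertRuleTemplateName, version, tactics, techniques) mirror what the Sentinel API returns but are only assumptions for the example.

```powershell
# Added example, not the code from the post. Compares deployed analytic rules
# with their templates and reports which fields differ. All rule and template
# objects here are constructed sample data.

function Normalize-Array {
    param($Value)
    # Compare-Object refuses a $null or empty -ReferenceObject/-DifferenceObject,
    # so substitute a placeholder (the post uses "1") for a missing or empty array.
    if ($null -eq $Value -or @($Value).Count -eq 0) { return @('1') }
    return @($Value)
}

function Test-ArrayChanged {
    param($Old, $New)
    # Compares the arrays as a whole, not entry by entry: any difference counts.
    $diff = Compare-Object -ReferenceObject (Normalize-Array $Old) -DifferenceObject (Normalize-Array $New)
    return ($null -ne $diff)
}

function Get-RuleUpdateReport {
    param(
        [object[]]$Rules,
        [object[]]$Templates   # Microsoft Sentinel templates and Solution templates, merged
    )
    $scalarFields = 'displayName', 'description', 'query', 'severity',
                    'queryFrequency', 'queryPeriod', 'triggerOperator', 'triggerThreshold'
    $arrayFields  = 'tactics', 'techniques'   # the post treats Entities the same way

    foreach ($rule in $Rules) {
        if ([string]::IsNullOrEmpty($rule.alertRuleTemplateName)) { continue }   # not template-based

        # Gotcha: a rule can carry a template ID that exists in no template list.
        $template = $Templates | Where-Object { $_.id -eq $rule.alertRuleTemplateName } | Select-Object -First 1
        if ($null -eq $template) {
            [pscustomobject]@{ Name = $rule.displayName; Status = 'Template not found'; ChangedFields = '' }
            continue
        }

        if ($rule.templateVersion -eq $template.version) { continue }   # nothing to update

        $changed = [System.Collections.Generic.List[string]]::new()
        foreach ($f in $scalarFields) {
            if ($rule.$f -ne $template.$f) { $changed.Add($f) }
        }
        foreach ($f in $arrayFields) {
            if (Test-ArrayChanged $rule.$f $template.$f) { $changed.Add($f) }
        }

        [pscustomobject]@{
            Name          = $rule.displayName
            Status        = "Update available ($($rule.templateVersion) -> $($template.version))"
            ChangedFields = ($changed -join ';')
        }
    }
}

# Constructed sample data (hypothetical IDs, versions and queries).
$templates = @(
    [pscustomobject]@{ id = 't-0001'; version = '1.1.0'; displayName = 'Sample rule A'; description = 'Updated description'
                       query = 'SecurityEvent | where EventID == 4625'; severity = 'Medium'; queryFrequency = 'PT1H'
                       queryPeriod = 'PT1H'; triggerOperator = 'GreaterThan'; triggerThreshold = 0
                       tactics = @('CredentialAccess'); techniques = @('T1110') }
    [pscustomobject]@{ id = 't-0002'; version = '1.0.0'; displayName = 'Sample rule B'; description = 'Unchanged'
                       query = 'SigninLogs | where ResultType != 0'; severity = 'Low'; queryFrequency = 'PT1H'
                       queryPeriod = 'PT1H'; triggerOperator = 'GreaterThan'; triggerThreshold = 0
                       tactics = @('InitialAccess'); techniques = @() }
)
$rules = @(
    # Older version of template t-0001: description and tactics differ, query was customized.
    [pscustomobject]@{ displayName = 'Sample rule A'; alertRuleTemplateName = 't-0001'; templateVersion = '1.0.0'
                       description = 'Old description'; query = 'SecurityEvent | where EventID == 4625 | where Account !has "svc-"'
                       severity = 'Medium'; queryFrequency = 'PT1H'; queryPeriod = 'PT1H'; triggerOperator = 'GreaterThan'
                       triggerThreshold = 0; tactics = $null; techniques = @('T1110') }
    # Current version of t-0002: skipped.
    [pscustomobject]@{ displayName = 'Sample rule B'; alertRuleTemplateName = 't-0002'; templateVersion = '1.0.0' }
    # Template ID that exists nowhere: reported rather than crashing the loop.
    [pscustomobject]@{ displayName = 'Orphaned rule'; alertRuleTemplateName = 't-9999'; templateVersion = '1.0.0' }
)

Get-RuleUpdateReport -Rules $rules -Templates $templates |
    Export-Csv -Path .\rulestobeupdated.csv -NoTypeInformation
```

With this sample data the CSV gets one row for "Sample rule A" listing description, query and tactics as changed, one row for "Orphaned rule" with the status "Template not found", and no row for "Sample rule B". The row for rule A is exactly the case the post describes: if you had customized the query, you can see from the ChangedFields column that taking the update would overwrite it.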

I think I am checking all the various fields that we would care about, but if not, feel free to drop me a comment. I will mention that the rule templates do not have any place for any of the values in the “Incident Settings” tab in the Analytic rule wizard, so I didn’t check for any of those.

Summary

This PowerShell script will generate a CSV file showing you what rules need to be updated and what fields have changed. This should help you decide if you want to update the rule or not.

I am planning on using this file as input to another PowerShell script that will update the rules for you, if you want them to be updated. I am thinking I can also have it update just the specific parts you want, so if you only want the description to be updated but leave the rest alone, it will do that. Or you can say you don't want anything other than the version updated, so you won't see the "Update Available" tag anymore. Sound good?

This will be different than the code I posted for my blog post, Automatically apply updates to Analytic rules that have “Update Available” – Yet Another Security Blog (garybushey.com), which will update ALL rules with ALL changes.
